Under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act, LifeWise must take measures to protect the privacy of our members’ personal information. In addition, other state and federal privacy laws may provide additional privacy protection. Personal information includes the member’s name, Social Security number, address, telephone number, account number, employment, medical history, health records, and claims information. Learn more about our member privacy practices.
Here you’ll find HIPAA information specific to providers.
CMS Version 5010 Website
The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry through adopting and using standardized, electronic transmission of administrative and financial data.
Administrative Simplification encompasses five key elements:
HIPAA privacy regulations require standards that protect the privacy of PPI. These rules include strict limits on how information can be used and disclosed.
HIPAA's Administrative Simplification provisions also require security standards to protect health information transmitted or stored electronically. The regulations require physical, technical and procedural safeguards to keep electronic healthcare information secure.
Providers, healthcare payers and clearinghouses must use "standard" formats to exchange healthcare transactions electronically.
The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:
Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:
The non-medical code sets include codes for place of service, revenue codes, relationship and more.
Standard national identifiers are assigned to providers, employers and health plans. These "unique identifiers" will permit electronic data exchange and matching for all health insurance related transactions.
While we are committed to collaborating with our doctors and providers on issues related to HIPAA that affect our business relationships, we cannot take responsibility for ensuring that our providers' business processes and practices comply with the law. Because of HIPAA's complexities, we recommend that you seek legal counsel to determine your obligations under this act.
The privacy regulation requires covered entities to protect PPI and grant individuals other rights described below, without creating obstacles to care and treatment. It applies to information that is transmitted electronically, orally or on paper.
Full text of regulation
HIPAA states that other federal and state laws that provide more personal privacy protection still apply. LifeWise must also consider:
Accounting of Disclosures
A person has the right to request an accounting of disclosures made outside a covered entity's routine business functions. LifeWise's routine business functions include payment and healthcare operations, while providers' routine business functions would also include treatment.
Authorization
In most cases, a covered entity must obtain written authorization from the person before using or disclosing his or her PPI for other than routine business functions.
In most cases, our interactions with you will be business as usual. Generally, PPI can be shared between doctors, other providers and the health plan as we carry out "routine business functions" which include the following activities:
Business Associates
In most instances, healthcare providers are not the business associates of the health plan, so there won't be changes to your contracts with LifeWise. LifeWise has developed its standard Business Associate Agreements and will be working with vendors and contractors over the next few months to implement them.
Complaints
Individuals have the right to complain to a covered entity and to the U.S. Department of Health and Human Services (DHHS) Secretary if they believe their privacy rights have been violated.
Confidential Communications
Individuals have the right to request that a covered entity communicate with them at an alternate location if they believe that disclosing all or part of their health information could endanger them.
Inspection and Amendment
A person has the right to request to review, obtain copies and amend their PPI.
Minimum Necessary
When requesting or disclosing information, covered entities must ensure that they ask for or disclose the minimum amount of PPI needed to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).
Parents and Minors
In most situations, parents have control over the health information of their minor children. In certain situations, however, state laws give minors rights that take precedence over HIPAA privacy regulations. In some circumstances, state public health and insurance laws prohibit health plans from disclosing sensitive information such as PPI relating to chemical dependency, mental health, reproductive health, HIV/AIDS/STDs - unless the person specifically authorizes us to do so.
Privacy Notice
All covered entities must provide notice of a patient's privacy rights as well as their privacy practices.
Privacy Official
A covered entity must designate a "Privacy Official" responsible for developing and implementing its privacy policies and procedures.
Research
Covered entities can use a single authorization form for using and disclosing PPI for research, as well as informed consent for the research.
Uses and Disclosures for FDA Regulated Products
Covered entities can disclose PPI to the FDA for public health purposes relating to quality, safety or effectiveness of FDA-regulated products or activities. This includes reporting adverse events and defects or problems with FDA-regulated products.
HIPAA requires that covered entities choosing to exchange data electronically use the standard transactions, including code sets and unique identifiers.
Unique identifiers that HIPAA requires standardized:
National Provider Identifier (NPI)
The NPI is a unique identification number for healthcare providers to use with administrative and financial transactions.
National Employer Identifier (EIN)
The EIN is a unique identification number for employers and employer groups. The employer tax ID number (TIN) assigned by the IRS was adopted as the EIN.
National Health Plan Identifier (HPIN)
The HPIN is a unique identification number for health plans.
For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 410-786-4232 (local) or 866-282-0659.
If you intend to submit claims and conduct other HIPAA transactions electronically, you need to understand the costs involved in complying with standard formats. As you plan your HIPAA compliance strategy, we want to emphasize the importance of maintaining flexibility in your electronic transaction options - regardless of whether you intend to use a clearinghouse service, submit the transactions directly to a payer or some combination of both.
First, you must understand your PMS vendor's approach to HIPAA compliance, which generally falls into two categories:
Questions To Ask PMS Vendors
If your PMS vendor will not provide the necessary transaction flexibility, there are alternatives that do not require switching to a new office management system. Several vendors offer software packages that will extract claims from practice management systems and:
Need a Trading Partner Agreement?
Contact the EDI team at 800-596-3440 or via email at firstname.lastname@example.org
Need an ANSI Implementation Guide?
You can find guides on the Washington Publishing website.
Centers for Medicare & Medicaid Services (CMS)
HIPAA Privacy Rule Summary
DHHS Administrative Simplification
DHHS Designated Standard Maintenance
HIPAA Implementation & Advisory Groups
Strategic National Implementation Process (SNIP)
Workgroup for Electronic Data Interchange (WEDI)
Data Standards Maintenance Organizations
American Dental Association (ADA)
American Standards Committee (ASC) X12
Health Level Seven (HL7)
National Council for Prescription Drug Programs (NCPDP)
National Uniform Billing Committee (NUBC)
National Uniform Claim Committee (NUCC)
National Healthcare Accrediting Bodies
Electronic Healthcare Network Accreditation Commission (EHNAC)
Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
National Committee for Quality Assurance (NCQA)
Other HIPAA Resources
American Health Information Management Association
American Medical Association (AMA)
Oregon State Dental Association
Oregon State Medical Association